Module-info not reproducible due to rogue timestamp
A248 opened this issue · 3 comments
I had originally followed the Maven guide for reproducible builds and set the project's project.build.outputTimestamp to a fixed value. I was able to create reproducible builds without having to use this plugin.
However, once I added module-info, I began receiving different hashes. Using diffoscope I determined the timestamp across 2 builds was constant for all but the module-info.class:
│ -rw---- 2.0 fat 862 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrder.class
│ -rw---- 2.0 fat 1113 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrderBuilder.class
│ -rw---- 2.0 fat 2285 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.xml
│ -rw---- 2.0 fat 74 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.properties
│ --rw---- 2.0 fat 557 bl defN 20-Oct-25 12:39 module-info.class
│ +-rw---- 2.0 fat 557 bl defN 20-Oct-25 12:41 module-info.class
Note the + and - which are diffoscope's way of indicating the difference between the .jar files. Here the project.build.outputTimestamp is on 17 October. As shown, though, module-info has a rebellious timestamp.
Relation to reproducible-build-maven-plugin
This seemed a bug in the maven-compiler-plugin, so I decided to see if this plugin had a solution for this. However, adding the plugin yielded the same issue – the current timestamp is applied on module-info.class even though all the other files in the jar have the timestamp defined in project.build.outputTimestamp.
Additional Information
I considered JDK-8240734 as a possible cause of the issue. However, this problem occurs both on JDK 11 (build 11.0.8+10) and JDK 15 (build 15+36) and with and without reproducible-build-maven-plugin on each JDK version. module-info is consistently the culprit.
I'm planning to report this same bug to the maven-compiler-plugin.
Hi! Thanks for reporting this issue, I'll have a look at it. Is it the zip timestamp you are talking about? Because this plugin sets the same timestamp for all the files inside a jar file, so module-info.class should have the same (zip) timestamp as the other files.
I'm very sorry, I wasn't running the pre-integration-test phase as package does not encompass it, so reproducible-build-maven-plugin was not activating.
reproducible-build-maven-plugin does solve the problem. The bug is in the maven-compiler-plugin.